Load balancer access logging should be enabled

Description

Access logs record information about every HTTP and TCP request a load balancer processes. Access logging should be enabled in order to analyze statistics, diagnose issues, and retain data for regulatory or legal purposes.

Remediation Steps

AWS Console

The steps are different for classic load balancers (ELB) and next generation load balancers (ELBv2), such as application load balancers and network load balancers. See the product comparison for more information.

For classic load balancers, follow these steps:

  • Navigate to EC2.

  • In the navigation pane, choose Load Balancers.

  • Select your load balancer.

  • On the Description tab, choose Configure access logs.

  • Check Enable Access Logs.

  • Specify an interval in the Interval drop-down.

  • Provide a name for your S3 bucket and check Create this location for me or provide the name for a bucket which already exists.

  • Click Save.

For next generation load balancers, follow these steps:

  • Navigate to EC2.

  • In the navigation pane, choose Load Balancers.

  • Select your load balancer.

  • On the Description tab, choose Edit attributes.

  • On the Edit load balancer attributes page, Choose Configure access logs.

  • Check Enable for Access Logs.

  • Provide a name for your S3 bucket and check Create this location for me or provide the name for a bucket which already exists.

  • Click Save.

AWS CLI

The steps are different for classic load balancers and next generation load balancers.

For classic load balancers, follow these steps:

The steps are different for classic load balancers and next generation load balancers.

For classic load balancers, follow these steps:

  • Create a .json file that enables Elastic Load Balancing to capture and deliver logs every 60 minutes to an S3 bucket that you have created for the logs:

{
  "AccessLog": {
    "Enabled": true,
    "S3BucketName": "my-loadbalancer-logs",
    "EmitInterval": 60,
    "S3BucketPrefix": "my-app"
  }
}
  • To enable access logs for your load balancer:

    • aws elb modify-load-balancer-attributes --load-balancer-name <my-loadbalancer> --load-balancer-attributes file://my-json-file.json

For next generation load balancers, follow these steps:

  • Create a .json file that enables Elastic Load Balancing to capture and deliver logs to an S3 bucket that you have created for the logs:

{
    "LoadBalancerArn": "<my-loadbalancer-arn>",
    "Attributes": [
        {
            "Key": "access_logs.s3.enabled",
            "Value": "true"
        },
        {
            "Key": "access_logs.s3.bucket",
            "Value": "my-loadbalancer-logs"
        },
        {
            "Key": "access_logs.s3.prefix",
            "Value": "my-app"
        }
    ]
}
  • To enable access logs for your load balancer:

    • aws elbv2 modify-load-balancer-attributes --cli-input-json file://my-json-file.json

Terraform

  • For classic load balancers, ensure that the aws_elb resource has an access_logs block configured with a bucket.

  • For next generation load balancers, ensure that the aws_lb resource has an access_logs block configured with a bucket.

Example Configuration

resource "aws_elb" "example1" {
  access_logs {
    bucket = “elb-log.testbucket.com”
  }
  # other required fields here
}

resource "aws_lb" "example2" {
  access_logs {
    bucket = “lb-log.testbucket.com”
  }
  # other required fields here
}